CMEK key rotation

Customer-managed encryption keys (CMEKs) let you protect data in supported Google Cloud services with a cryptographic key that you control in Cloud KMS. You can configure automatic key rotation on a set schedule, or you can rotate your keys manually. This document explains what happens in a CMEK-integrated service when the underlying Cloud KMS key is rotated.

How key rotation works with CMEK

When you rotate a key in Cloud KMS, Cloud KMS creates a new version of that key. The new key version becomes the primary version and can be used to encrypt the data encryption keys (DEKs) that protect your data. Previous key versions are kept active and are available for decrypting DEKs that were encrypted with them. This process ensures that you can always access your older data.

Different CMEK-integrated services handle key rotation differently, but there are three main patterns:

  • New key version protects all data: When the service detects that a new key version has become primary, the service automatically re-encrypts DEKs that were encrypted with the previous key version. DEKs that protect both new data and existing data are encrypted with the current primary key version. Re-encrypting existing DEKs might take some time to complete, but then the previous key version is no longer used.
  • New key version is used going forward: When the service detects that a new key version has become primary, subsequent encryption requests use the new key version. DEKs that protect data for this resource use a mix of current and previous key versions.
  • New key version is not used: The service continues to encrypt DEKs with the original key version that was configured when the resource was created, regardless of whether new primary key versions exist.
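To make the three patterns concrete, the following is an added model (not Google's code and not the Cloud KMS API) of a key with numbered versions and a service that follows each pattern; the HMAC-keystream wrap is a toy stand-in for Cloud KMS encryption, and the pattern names, `versions_in_use()` and `safe_to_destroy()` are illustrative assumptions.

```python
import hashlib, hmac, secrets

class KmsKey:
    """Cloud KMS key modelled as numbered versions, one of them primary."""
    def __init__(self):
        self.versions, self.primary = {1: secrets.token_bytes(32)}, 1
    def rotate(self):
        """The new version becomes primary; older versions stay usable for unwrap."""
        self.primary = max(self.versions) + 1
        self.versions[self.primary] = secrets.token_bytes(32)
    def destroy(self, version):
        del self.versions[version]  # DEKs still wrapped with it become unrecoverable
    def _keystream(self, version, nonce):
        return hmac.new(self.versions[version], nonce, hashlib.sha256).digest()
    def wrap(self, dek, version=None):  # wrap a 32-byte DEK with primary or a pinned version
        version = self.primary if version is None else version
        nonce = secrets.token_bytes(16)
        ks = self._keystream(version, nonce)
        return version, nonce, bytes(a ^ b for a, b in zip(dek, ks))
    def unwrap(self, wrapped):
        version, nonce, blob = wrapped  # KeyError if that version was destroyed
        return bytes(a ^ b for a, b in zip(blob, self._keystream(version, nonce)))

class Service:
    """A CMEK-integrated service following one of the three rotation patterns."""
    def __init__(self, key, pattern):
        assert pattern in ("all_data", "going_forward", "original_only")
        self.key, self.pattern, self.deks = key, pattern, {}  # deks: name -> wrapped DEK
        self.original = key.primary  # version that was primary when CMEK was configured
    def write(self, name):
        pin = self.original if self.pattern == "original_only" else None
        self.deks[name] = self.key.wrap(secrets.token_bytes(32), pin)
    def on_rotation(self):
        if self.pattern == "all_data":  # re-encrypt every existing DEK under the new primary
            for name, w in list(self.deks.items()):
                self.deks[name] = self.key.wrap(self.key.unwrap(w))
    def versions_in_use(self):
        return sorted({w[0] for w in self.deks.values()})

def versions_after_rotation(pattern):  # write, rotate once, write again
    key = KmsKey()
    svc = Service(key, pattern)
    svc.write("before")
    key.rotate()
    svc.on_rotation()
    svc.write("after")
    return svc.versions_in_use()

def safe_to_destroy(key, services, version):  # pre-destroy check across every service
    return version != key.primary and all(version not in s.versions_in_use() for s in services)
```

Before disabling or destroying an older key version, this is the inventory to take: a service following the "used going forward" or "not used" pattern still depends on the version that was primary when CMEK was configured.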

Service-specific behavior after key rotation

The following table shows the rotation behavior for each resource type, or set of resource types, that can be protected with CMEKs. The columns are:

  • Can inherit key: Whether the resource can inherit a key from a parent resource.
  • Can use unique key: Whether the resource can use its own unique key, not inherited from a parent resource.
  • Can change key: Whether you can select a new CMEK to protect the resource while you update the resource.
  • New data: Whether new DEKs are encrypted with the primary key version or the original key version that was primary when CMEK was configured for the resource.
  • Existing data: Whether existing DEKs are re-encrypted with the primary key version or remain encrypted with the original key version that was primary when CMEK was configured for the resource.

Application Integration

  • integrations.googleapis.com/IntegrationVersion
  • integrations.googleapis.com/AuthConfig
  • integrations.googleapis.com/Execution
  • integrations.googleapis.com/Suspension
  • integrations.googleapis.com/TestCase
  • integrations.googleapis.com/Template

  Can inherit key: No | Can use unique key: Yes | Can change key: Yes
  New data: Uses new primary key version | Existing data: Uses original key version

Cloud Storage

  • storage.googleapis.com/Bucket

  Can inherit key: No | Can use unique key: Yes | Can change key: Yes
  New data: Uses new primary key version | Existing data: Uses new primary key version

Cloud Storage

  • storage.googleapis.com/Object

  Can inherit key: Yes | Can use unique key: Yes | Can change key: No
  New data: N/A (this resource is immutable) | Existing data: Uses original key version

Customer Experience Insights

  • contactcenterinsights.googleapis.com/*

  Can inherit key: Yes | Can use unique key: No | Can change key: No
  New data: Unknown | Existing data: Unknown

Filestore

  • file.googleapis.com/instance
  • file.googleapis.com/backup

  Can inherit key: No | Can use unique key: Yes | Can change key: No
  New data: Uses new primary key version | Existing data: Uses original key version

Firestore

  • firestore.googleapis.com/Database
  • datastore.googleapis.com/Database

  Can inherit key: No | Can use unique key: Yes | Can change key: No
  New data: Uses new primary key version | Existing data: Uses new primary key version

Gemini Code Assist

  • cloudaicompanion.googleapis.com/CodeRepositoryIndex

  Can inherit key: No | Can use unique key: Yes | Can change key: No
  New data: Uses original key version | Existing data: Uses original key version

Pub/Sub

  • pubsub.googleapis.com/Topic

  Can inherit key: No | Can use unique key: Yes | Can change key: Yes
  New data: Uses new primary key version | Existing data: Uses original key version

Speech-to-Text

  • speech.googleapis.com/Config

  Can inherit key: No | Can use unique key: Yes | Can change key: Yes
  New data: Uses new primary key version | Existing data: Uses original key version

Speech-to-Text

  • speech.googleapis.com/CustomClass
  • speech.googleapis.com/Endpoint
  • speech.googleapis.com/Model
  • speech.googleapis.com/PhraseSet
  • speech.googleapis.com/Recognizer

  Can inherit key: Yes | Can use unique key: No | Can change key: Yes
  New data: Uses new primary key version | Existing data: Uses original key version

What's next